Optimally Designing Cybersecurity Insurance Contracts to Encourage the Sharing of Medical Data

Though the sharing of medical data has the potential to lead to breakthroughs in health care, the sharing process itself exposes patients and health care providers to various risks. Patients face risks due to the possible loss in privacy or livelihood that can occur when medical data is stolen or used in non-permitted ways, whereas health care providers face risks due to the associated liability. For medical data, these risks persist even after anonymizing/deidentifying, according to the standards defined in existing legislation, the data sets prior to sharing, because shared medical data can often be deanonymized/reidentified using advanced artificial intelligence and machine learning methodologies. As a result, health care providers are hesitant to share medical data. One possible solution to encourage health care providers to responsibly share data is through the use of cybersecurity insurance contracts. This paper studies the problem of designing optimal cybersecurity insurance contracts, with the goal of encouraging the sharing of the medical data. We use a principal-agent model with moral hazard to model various scenarios, derive the optimal contract, discuss its implications, and perform numerical case studies. In particular, we consider two scenarios: the first scenario is where a health care provider is selling medical data to a technology firm who is developing an artificial intelligence algorithm using the shared data. The second scenario is where a group of health care providers share health data amongst themselves for the purpose of furthering medical research using the aggregated medical data.